AMPRNet 44Net CONNECT

WIREGUARD VPN TUNNEL

NetBSD CONFIGURATION

(2026-02-16)

44Net is shorthand for Internet network 44 (44.0.0.0/9 & 44.128.0.0/10), also known as AMPRNet. Since its allocation to amateur radio in the mid-1980s, the network has been used by amateur radio operators to conduct scientific research and to experiment with digital communications over radio. The goals are to of advance the state of the art of Amateur Radio networking, and to educate amateur radio operators in these techniques.

If you are a licensed amateur radio operator, you can ask for a public IP address to connect to the worldwide 44net amateur radio network with high-performance points of presence.

44Net IP addresses are public, globally routable, and static — no NAT, no CGNAT. IP as it was meant to be. You can setup a WEB server on your RaspberryPi or SBC computer and will be reachable from the whole Internet with the help of a WireGuard provided tunnel.

44Net supports and provides easy-to-use configuration files for the following operating systems:


NetBSD is not officially supported but after some trial an error and with the help of NetBSD netbsd-users mailing list I could make it work fine in my little RaspberryPi ZeroW board.

NetBSD has its own WireGuard implementation. It is supported into the kernel by the wg device. The wg interface was implemented by Ryota Ozaki and first appeared in NetBSD 10.0. The man page can be visited here: wg(4) - NetBSD Manual Pages


if_wg module must be loaded and boot time. This can be configured in /etc/modules.conf file:

# cat /etc/modules.conf 


if_wg

WireGuard VPN tunnel can be set UP and running with this script:

# cat levantatunel.sh 


#!/bin/sh
set -x
ifconfig wg0 create mtu 1380
ifconfig wg0 inet 44.a.b.c/32
ifconfig wg0 inet6 abcd::efgh:ijkl:mno:pqrs/128
wgconfig wg0 set private-key /etc/wg/wg0.priv
wgconfig wg0 add peer A \
asdfghjklqwerty= \
--allowed-ips=0.0.0.0/0,::/0 \
--endpoint=44.x.y.1:44000
ifconfig wg0 up
 
sysctl -w net.inet.tcp.mss_ifmtu=1

route add 44.x.y.1 192.168.1.1
route delete default
route add default 44.a.b.c

where


NetBSD WG implementation does not have a PersistentKeepalive parameter setting. That can be solved with the following workaround:

# cat pingkeepalive.sh 


#!/bin/sh
while(true)
do
/sbin/ping -c 1 44.a.b.c > /dev/null 2>&1
sleep 15
done

Pinging our own IP address at 15 seconds intervals mantain the tunnel alive. If we do not do it, our WEB server will have difficulties to respond after several seconds of inactivity. You can experiment with ping interval until you find the right one. Suggested 25 seconds was not enough in my case.

The tunnel can be destroyed with the following script that also return routes to the original state:

# cat destruyetunel.sh 


#!/bin/sh
set -x
wgconfig wg0 delete peer A
ifconfig wg0 down
ifconfig wg0 destroy

route delete 44.x.y.1
route add default 192.168.1.1

In order to DNS resolving you must add 1.1.1.1 and 1.0.0.1 lines to the /etc/resolv.conf file. I use static address with no dhcpcd.

# cat /etc/resolv.conf 


domain remigio
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 1.1.1.1
nameserver 1.0.0.1

To automate it at startup, I created a rc.d service:

# cat /etc/rc.d/tunelampr 


#!/bin/sh
#
# $NetBSD: nettest,v 1.0 2023/10/30 18:08:03 mycroft Exp $
#

# PROVIDE: tunelampr
# REQUIRE: NETWORK
# BEFORE:  LOGIN

$_rc_subr_loaded . /etc/rc.subr

name="tunelampr"
rcvar=$name
start_cmd="tunelampr_start"
stop_cmd="tunelampr_stop"

tunelampr_start()
{
        echo "Starting AMPR.org tunnel..."
        /root/SCRIPTS/tunelAMPRorg/levantatunel.sh > /dev/null 2>&1
        /root/SCRIPTS/tunelAMPRorg/pingkeepalive.sh > /dev/null 2>&1 &

}
tunelampr_stop()
{
        echo "Stopping  AMPR.org tunnel..."
    /root/SCRIPTS/tunelAMPRorg/destruyetunel.sh > /dev/null 2>&1
        pkill -f "/root/SCRIPTS/tunelAMPRorg/pingkeepalive.sh"

}

load_rc_config $name
run_rc_command "$1"

Service should be enabled in /etc/rc.conf:

# cat /etc/rc.conf |grep tun

tunelampr=YES